The LuxSci FYI Blog

by Erik Kangas, PhD, CEO

Posts Tagged ‘secure email’

SSL versus TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide encryption and authentication between applications and servers when data is sent across an insecure network, for example when you check your email (see: How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or together (TLS/SSL), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, which, as a result, is sometimes referred to as SSL 3.1 (its version number on the wire is 3.1). That said, is there actually a practical difference between the two?
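The "SSL 3.1" remark is literally true at the byte level: the version field in every TLS record and ServerHello carries a major/minor pair, and TLS 1.0 is {3, 1}, TLS 1.1 is {3, 2}, TLS 1.2 is {3, 3}, while TLS 1.3 keeps {3, 3} in the legacy field and signals {3, 4} in its supported_versions extension. The following Python is an added example, not code from the original post: it parses a ServerHello record, reports which protocol the server actually selected, and flags the versions that are formally deprecated. The sample records are constructed inline.

```python
"""Decode the protocol version a TLS/SSL server actually negotiated.

Added example (not from the LuxSci post). Parses a ServerHello handshake
record and maps its version bytes to a protocol name.
"""
import struct

VERSION_NAMES = {
    (2, 0): "SSL 2.0",
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",   # this is why TLS 1.0 is sometimes called "SSL 3.1"
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

# Versions to refuse today: SSL 2.0 (RFC 6176), SSL 3.0 (RFC 7568) and
# TLS 1.0/1.1 (RFC 8996) are all formally deprecated.
ACCEPTABLE = {(3, 3), (3, 4)}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def version_name(major, minor) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def negotiated_version(record):
    """Return (major, minor) of the version the server selected.

    Raises ValueError on anything that is not a well-formed ServerHello.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")

    legacy = (hello[0], hello[1])     # legacy_version / server_version
    pos = 2 + 32                      # skip server random
    sid_len = hello[pos]
    pos += 1 + sid_len                # session_id
    pos += 2 + 1                      # cipher_suite, compression_method
    if pos >= len(hello):
        return legacy                 # no extensions: SSL 3.0 .. TLS 1.2 style

    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hello):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
            return (data[0], data[1])  # TLS 1.3 puts the real version here
    return legacy


def is_acceptable(record) -> bool:
    return negotiated_version(record) in ACCEPTABLE


def _server_hello(legacy, selected=None, session_id=b""):
    """Build a minimal ServerHello record (constructed test data)."""
    hello = bytes(legacy) + b"\x00" * 32            # version, random
    hello += bytes([len(session_id)]) + session_id
    hello += b"\x13\x01" if selected else b"\xc0\x2f"  # cipher suite
    hello += b"\x00"                                # compression: null
    if selected:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected)
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + bytes(legacy) + struct.pack("!H", len(body)) + body


SAMPLE_SSL30 = _server_hello((3, 0))
SAMPLE_TLS12 = _server_hello((3, 3))
SAMPLE_TLS13 = _server_hello((3, 3), selected=(3, 4))

if __name__ == "__main__":
    for label, rec in [("SSL 3.0", SAMPLE_SSL30), ("TLS 1.2", SAMPLE_TLS12), ("TLS 1.3", SAMPLE_TLS13)]:
        v = negotiated_version(rec)
        print(f"{label:8} -> {version_name(*v):8} acceptable={is_acceptable(rec)}")
```

The same parser can be pointed at a real capture (the first server-to-client record after the ClientHello); the TLS 1.3 branch matters because a naive check of the record header alone would report 1.2 for every modern server.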

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person’s medical information, including its transit, storage and security. Because email is such an important and extensively-used form of communication, HIPAA regulations apply to it as well.

Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.

New series further explains secure email, texting, websites, web forms and email marketing.

BOSTON, MA – May 30, 2017 – LuxSci (www.luxsci.com), the HIPAA-compliant Internet and Email Security experts, has just released its 3-part eBook series on HIPAA-compliant communications, aimed at healthcare organizations in need of additional information to help them better understand the methods and technologies available for safeguarding their practice and protecting patient privacy.

In the first eBook, “HIPAA-Compliant Email Basics”, LuxSci discusses HIPAA and ePHI, the provisions of the HIPAA email security rule, risk analysis and the need for encryption, and takes a closer look at Gmail and Google Apps.

The next eBook, “HIPAA-Compliant Website Basics”, defines what is required from HIPAA-compliant websites, website hosting, and web forms.

Erik Kangas, Ph.D. and CEO of LuxSci says, “Online communications technologies are pervasive and they can really help a healthcare organization stay current and engaged. Understanding the technologies, the risks, and the best practices are the first steps to getting started in a productive, compliant, and profitable direction. These eBooks provide a great deal of guidance, enabling you to get started quickly.”

To download these free eBooks and find out how LuxSci can help with HIPAA compliance, click here.

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive as it loses all of the context about what is and is not permitted and does not shed any insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?

Do you have an application or system that needs to send secure messages on demand? Do you need the flexibility to encrypt messages in different ways, to include files, HTML, and read receipts, or to have the messages be fully HIPAA compliant?

Everyone always harps on the necessity of privacy when discussing health care, government, and banking communications. It is surprising how little attention is paid to email security with regard to accounting and tax preparation. There is a real danger of identity theft, unintended information disclosure, and invasion of privacy when using tax preparation services or organizations that do not use secure email. Why is this?

LuxSci SecureForm is an easy way to add or enhance security and functionality to online forms you use to collect important information.

With a few clicks and a change of only 1-2 lines of your forms, you can receive the form data via secure email in a wide range of formats, save it to a LuxSci Documents WebAide (encryption optional) for future access, upload it to your own FTP or SFTP site, and/or send it directly to a MySQL database. You can even receive notifications via email or text message when new submissions arrive! SecureForm has many other great features such as Ink Signatures for contract signing and Spam blocking.

LuxSci has been approached by many people asking for VPN (Virtual Private Network) services. When we ask them why, they indicate that they use wireless hotspots (like at Starbucks and other public places) that are insecure and untrusted and they want to be sure that their email is secure and encrypted there.*

Note that even if the hotspot is password protected and “secure”, that does not mean that it is “trusted”. The hotspot administrators, or other users of that hotspot, could still try to intercept your Internet traffic. So, just because it is a “secure” hotspot with the little lock next to it and a password that you must enter, do not assume you are safe at all.

You buy a HIPAA compliant web hosting infrastructure. You configure your web site to send out email messages in the simplest way, e.g. through PHP mail, or some other generic and standard mechanism. You think you are all set — but you are not.

HIPAA compliant web hosting services provide a server infrastructure that allows you to be compliant; however, it doesn’t make you compliant. Your web designers must make choices and program your site so that it properly respects ePHI. If they do not do all the appropriate things, you will be out of compliance. E.g. see: 7 steps to make your web site HIPAA-secure.

In particular, email messages sent in the “normal way” from a web site will go out insecurely, in a way that violates the HIPAA Security Rule if they contain ePHI of any kind: they are handed to the local mailer in cleartext, are not encrypted in transit, and are not archived.
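The two excerpts above, the untrusted-hotspot one and the web-site-sending one, describe the same failure from two sides: a connection whose peer is not verified, or a message that leaves in cleartext, can be read or altered by whoever controls the network or the mail path. The following Python is an added example, not LuxSci's code and not a compliance claim on its own. It shows what a web application should do instead of a bare mail()-style call: require STARTTLS, verify the server certificate with TLS 1.2 or better, and keep an archive record of every message sent. The same strict context is what a mail client on an untrusted hotspot should use, since with certificate verification on, the hotspot operator cannot transparently substitute its own endpoint. The host, port, credentials, archive path and domain below are assumptions.

```python
"""Send an application notification over verified TLS and archive it.

Added example (not from the LuxSci post). Assumed values: SMTP_HOST,
SMTP_PORT, ARCHIVE_PATH and the message-id domain.
"""
import hashlib
import json
import smtplib
import ssl
import time
from email.message import EmailMessage
from email.utils import make_msgid

SMTP_HOST = "smtp.example.com"       # assumption: your provider's submission host
SMTP_PORT = 587                      # assumption: submission port, STARTTLS
ARCHIVE_PATH = "/var/lib/app/outbound-mail.jsonl"   # assumption
MSGID_DOMAIN = "app.example.com"     # assumption


def strict_tls_context() -> ssl.SSLContext:
    """Context that refuses unverified peers and legacy protocol versions.

    create_default_context() already sets CERT_REQUIRED and check_hostname;
    this adds a TLS 1.2 floor. Never relax verify_mode to CERT_NONE: that is
    exactly what lets a hostile hotspot or mail relay present its own
    certificate and read the session.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_message(sender, recipient, subject, body) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain=MSGID_DOMAIN)
    msg.set_content(body)
    return msg


def archive_record(msg: EmailMessage) -> dict:
    """One JSON line per message: who, when, a hash for tamper-evidence,
    and the full text so the archive stands on its own."""
    raw = msg.as_bytes()
    return {
        "message_id": msg["Message-ID"],
        "to": msg["To"],
        "sent_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "raw": raw.decode("utf-8", errors="replace"),
    }


def transport_is_acceptable(esmtp_features: dict) -> bool:
    """Policy check on the EHLO response (smtplib lowercases the keys):
    refuse to continue without STARTTLS instead of falling back to cleartext."""
    return "starttls" in esmtp_features


def send_notification(msg, username, password, *, host=SMTP_HOST, port=SMTP_PORT,
                      archive_path=ARCHIVE_PATH) -> dict:
    """Submit msg over verified TLS, then append its archive record."""
    ctx = strict_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not transport_is_acceptable(smtp.esmtp_features):
            raise RuntimeError("server does not offer STARTTLS; refusing to send in cleartext")
        smtp.starttls(context=ctx)   # raises ssl.SSLCertVerificationError on a bad cert
        smtp.ehlo()                  # re-EHLO after the upgrade, as RFC 3207 requires
        smtp.login(username, password)
        smtp.send_message(msg)
    record = archive_record(msg)
    with open(archive_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    m = build_message("noreply@app.example.com", "patient@example.org",
                      "Pickup reminder", "Your order is ready for pickup.")
    print(json.dumps(archive_record(m), indent=2))
```

Note that transport encryption to your own submission server is only the first hop; what happens after the relay (encryption to the recipient's server, or enforced encryption of the message itself) is a separate decision that this block does not make for you.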